Report No. D-2009-097           July 30, 2009

Data Migration Strategy and Information Assurance for the Business Enterprise Information Services

Additional Information and Copies
To obtain additional copies of this report, visit the Web site of the Department of Defense Inspector General at http://www.dodig.mil/audit/reports or contact the Secondary Reports Distribution Unit at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Audits
To suggest or request audits, contact the Office of the Deputy Inspector General for Auditing by phone (703) 604-9142 (DSN 664-9142), by fax (703) 604-8932, or by mail:

    ODIG-AUD (ATTN: Audit Suggestions)
    Department of Defense Inspector General
    400 Army Navy Drive (Room 801)
    Arlington, VA 22202-4704

Acronyms and Abbreviations
ATO            Authority to Operate
BEA            Business Enterprise Architecture
BEIS           Business Enterprise Information Services
BTA            Business Transformation Agency
BTG            Business Transformation Guidance
CA             Certifying Authority
DAA            Designated Accrediting Authority
DCAS           Defense Cash Accountability System
DCD/DCW        Defense Corporate Database/Defense Corporate Warehouse
DDRS           Defense Departmental Reporting System
DFAS           Defense Finance and Accounting Service
ETP            Enterprise Transition Plan
FFMIA          Federal Financial Management Improvement Act of 1996
FMFIA          Federal Managers Financial Integrity Act of 1982
GAO            Government Accountability Office
OMB            Office of Management and Budget
POA&M          Plan of Action and Milestones

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4704

July 30, 2009

MEMORANDUM FOR DEPUTY CHIEF MANAGEMENT OFFICER
               DIRECTOR, BUSINESS TRANSFORMATION AGENCY

SUBJECT: Data Migration Strategy and Information Assurance for the Business Enterprise Information Services (Report No. D2009-097)

We are providing this report for review and comment. We performed this audit because DoD is implementing the Business Enterprise Information Services (BEIS) system to consolidate financial information and provide Enterprise-wide financial reporting. We considered management comments on a draft of this report in preparing the final report.

DoD Directive 7650.3 requires that all recommendations be resolved promptly. The comments from the Assistant Deputy Chief Management Officer were partially responsive. Therefore, we request additional comments on Recommendations A.1., A.2., B.1., B.2., B.3., C.1., and C.2. by August 31, 2009. See the recommendations table on page ii.

Please provide comments that conform to the requirements of DoD Directive. If possible, send your comments in electronic format (Adobe Acrobat file only) to auddbo@dodig.mil. Copies of your comments must contain the actual signature of the authorizing official. We cannot accept the / Signed / symbol in place of the actual signature. If you send classified comments electronically, you must send them over the SECRET Internet Protocol Router Network (SIPRNET).

We appreciate the courtesies extended to the staff.
Please direct questions to me at (703) 601-5868 (DSN 329-5868).

Patricia A. Marsh, CPA
Assistant Inspector General
Defense Business Operations

Report No. D2009-097 (Project No. D2008-D000FB-120.000)           July 30, 2009

Results in Brief: Data Migration Strategy and Information Assurance for the Business Enterprise Information Services

What We Did
We audited the Business Enterprise Information Services (BEIS) system to determine whether it had a comprehensive data migration plan, met information assurance (Federal Information Security Management Act) standards, and met the standards for the Federal Financial Management Improvement Act of 1996 (FFMIA).

What We Found
We determined that the Business Transformation Agency (BTA) internal controls were not adequate. We identified internal control weaknesses in the BTA data migration strategy, information assurance, and FFMIA compliance. Specifically, BTA did not:
• have an effective data migration strategy for Components to follow for converting legacy systems to the Business Enterprise Architecture (BEA);
• determine the sequence or schedule for when the functionality of 13 legacy systems would be transferred to BEIS;
• separate the certification and accreditation processes, thereby creating a potential conflict of interest;
• have a security plan that met Office of Management and Budget (OMB) and DoD requirements; and
• test BEIS for compliance with FFMIA.
Implementing the recommendations would improve internal controls and BEIS efforts on data migration, information security, and FFMIA compliance.

What We Recommend
We recommend that the Director, Business Transformation Agency:
• revise the Business Transformation Guidance to include a detailed, standardized methodology prescribing best practices for data migration from DoD legacy systems to the BEA structure;
• coordinate with the Defense Finance and Accounting Service (DFAS) to develop a data migration strategy identifying key milestones and a critical path for transferring the functionality of 13 legacy systems to BEIS;
• separate the roles of Certifying Authority and Designated Accrediting Authority by assigning them to two individuals;
• develop a comprehensive security plan that fulfills OMB and DoD information assurance requirements and develop procedures for testing those requirements annually;
• develop a methodology for annually reviewing the BEIS “family of systems” for compliance with FFMIA and Federal Managers Financial Integrity Act of 1982;
• assess whether the BEIS “family of systems” complies with FFMIA mandatory and technical Core Financial Management System requirements and standards; and
• develop a remediation plan for correcting any deficiencies noted.

Management Comments and Our Response
The Assistant Deputy Chief Management Officer (Assistant Deputy) responded and generally agreed with developing a data migration strategy and coordinating with DFAS on converting legacy systems functionality. The Assistant Deputy recognized the need for adhering to security guidelines, but stated DoD’s position is that each program maintain its own comprehensive security plan. We request that the Assistant Deputy reconsider DoD’s position on not assessing BEIS against FFMIA requirements because system change requests may have affected its compliance. We request additional comments by August 31, 2009. Please see the recommendations table on the back of this page.

Recommendations Table

Management                                  Recommendations Requiring Comment               No Additional Comments Required
Assistant Deputy Chief Management Officer   A.1., A.2., B.1., B.2., B.3., C.1., and C.2.

Please provide comments by August 31, 2009.

Table of Contents

Results in Brief

Introduction
    Objectives
    Background
    Review of Internal Controls

Finding A. Business Transformation Agency Data Migration Strategy
    Recommendations, Management Comments, and Our Response

Finding B. Information Assurance
    Recommendations, Management Comments, and Our Response

Finding C. Financial Reporting Compliance
    Recommendations, Management Comments, and Our Response

Appendices
    A. Scope and Methodology
        Prior Coverage
    B. Future Businesses Enterprises Information Services Systems Transitions
    C. Glossary of Technical Terms

Management Comments
    Assistant Deputy Chief Management Officer Comments

Introduction
We performed this audit because DoD is implementing the Business Enterprise Information Services (BEIS) system to consolidate financial information and provide Enterprise-wide [1] financial reporting. BEIS will build upon existing infrastructure to provide timely, accurate, and reliable business information from across DoD to support auditable financial statements, as well as provide detailed information for management in support of the warfighter.

Objectives
Our audit objectives were to determine whether BEIS:

• had an adequate data migration plan,
• met information assurance (Federal Information Security Management Act) standards, and
• met the standards for the Federal Financial Management Improvement Act of 1996 (FFMIA).

See Appendix A for our scope and methodology.

Background
The FY 2005 National Defense Authorization Act required DoD to develop an enterprise architecture, a transition plan, and a governance plan for business systems modernization. To accomplish these tasks, the Deputy Secretary of Defense established the Business Transformation Agency (BTA) on October 7, 2005. The BTA mission is to guide the transformation of business operations throughout DoD and to deliver Enterprise-level capabilities that meet warfighter needs. BTA also develops and facilitates the DoD-wide processes for the maintenance, refinement, approval, and implementation of the Business Enterprise Architecture (BEA).

Business Enterprise Architecture
The BEA is the DoD information infrastructure, and it includes processes, data standards, and business rules.
It defines DoD’s business transformation priorities, business capabilities, and the combinations of systems and initiatives that enable these capabilities. The BEA guides the evolution of DoD business capabilities Enterprise-wide and explains what DoD must do to achieve interoperable business processes. The BEA incorporates applicable laws, regulations, policies, and standards.

Enterprise Transition Plan
BTA is responsible for developing, maintaining, and executing the Enterprise Transition Plan (ETP). The ETP describes the transformation of business operations within DoD as being driven by business enterprise priorities and business capabilities. It establishes a program baseline to measure progress, and it provides DoD internal and external stakeholders with a comprehensive view of the goals, objectives, and timeframes for DoD initiatives to convert to the BEA. BTA issues the ETP in March and September annually.

[1] “Enterprise-wide” refers to DoD and all of its organizational entities. See the Glossary of Technical Terms at Appendix C for the definition of this and other technical terms.

Financial Management Improvement
According to the September 2008 ETP, from FY 2007 to FY 2009 DoD was to spend about $930.7 million for implementing Defense Business Transformation. Of that amount, DoD planned to spend about $132.3 million on improved financial management.
The DoD strategy for improved financial management included implementing BEIS.

BEIS business objectives were to:

• create financial data that can be tracked throughout the enterprise,
• enhance and expand access to authoritative sources of financial management information for timely analysis (DoD Enterprise-level business intelligence),
• enable the linkage of resources to business outcomes,
• implement standard data elements for financial reporting, and
• eliminate existing financial management weaknesses and deficiencies.

The BEIS was based on a “family of systems” concept where existing Defense Finance and Accounting Service (DFAS) legacy financial system capabilities were transferred into the DoD enterprise financial solution. By FY 2020, BTA planned to transfer the functionality of 13 DFAS legacy systems into BEIS (see Appendix B). The BEIS current family of systems included the Defense Corporate Database/Defense Corporate Warehouse (DCD/DCW), the Defense Departmental Reporting System (DDRS), and the Defense Cash Accountability System (DCAS).

• DCD is a financial and accounting database that captures, edits, and validates the required source data, facilitates research and corrections, stores the data in a shared database, and summarizes the data at the level required for reporting. DCW contains data repositories that assist in data consolidation, standardization, and simplification and that improve the automated support provided by DCD. DCW summarizes the data required for producing standard agency-wide and departmental reports.
  DCW retrieves budget, accounting, and other functional data to support budget formulation, financial contract administration, cost accounting, and managerial accounting activities.

• DDRS includes three separate modules. The DDRS Audited Financial Statements module produces quarterly and annual financial statements for all of DoD. The Data Collection module captures financial data from nonfinancial feeder systems to support the financial statements and to report data from external DoD sources. The Budgetary module produces monthly and quarterly budgetary reports.

• DCAS reports expenditure data to the Treasury and includes the processing of transactions by others and transactions for others, the management of interfund and intragovernmental activity, and the performance of other Treasury and departmental functions.

Review of Internal Controls
We identified internal control weaknesses for BEIS as defined by DoD Instruction 5010.40, “Managers’ Internal Control (MIC) Program Procedures,” January 4, 2006. BTA did not have an effective data migration strategy because BTA transition guidance focused on Enterprise-level implementation, instead of providing the Components with sufficient detail and a standard methodology for aligning their systems to the BEA.
Also, the BTA strategy lacked best practices for data migration and its data migration schedule for BEIS was unrealistic, because BTA planned to transfer 13 DFAS legacy systems to BEIS by FY 2020, but it had not coordinated with DFAS to determine when and the sequence in which the legacy systems’ functionality should transfer to BEIS (Finding A).

A potential conflict of interest existed in the BEIS information assurance certification and accreditation process, because BTA designated the same individual to serve as both Certifying Authority and Designated Accrediting Authority for the BEIS family of systems. The BEIS security plan did not meet the requirements specified by the Office of Management and Budget (OMB) and DoD (Finding B). BTA did not fully comply with financial reporting requirements of the FFMIA and the Federal Managers Financial Integrity Act of 1982 because BTA had not developed a methodology for performing a complete FFMIA assessment of the BEIS family of systems since obtaining system ownership in 2005 (Finding C).

Implementing the recommendations would improve internal controls and BEIS efforts on data migration, information security, and FFMIA compliance. We will provide a copy of the final report to the senior official responsible for internal controls at BTA.

Finding A. BTA Data Migration Strategy
BTA did not have an effective data migration strategy because its transition guidance focused on Enterprise-level implementation, instead of providing the Components with sufficient instruction and examples of a standard methodology to use for aligning their systems to the BEA structure. The guidance also lacked best practices for data migration and its data migration schedule for BEIS was unrealistic.
BTA planned to transfer the functionality of 13 DFAS legacy systems to BEIS by FY 2020, but it had not coordinated with DFAS to determine when and the sequence in which the legacy systems’ functionality should transfer to BEIS. Without data migration best practices, detailed instructions for a standard methodology, and examples for the Components to follow, the BTA data migration strategy jeopardized the Components’ ability to deploy consistent financial management systems that could achieve BEA compliance. In addition, the lack of coordination with DFAS means that it may take 11 years for BTA to transfer legacy system functionality to BEIS and may cost the DoD $231 million. Given the rapid changes in technology, DoD’s current migration plan may not support its goal of realizing financial management improvement and access to accurate, reliable information under the BEIS family of systems in a timely manner.

BTA Transition Guidance
The BTA data migration strategy was not effective because BTA transition guidance focused on the Enterprise-level implementation, did not include sufficient instruction and examples of a standard methodology for the Components to follow for converting their systems to the BEA structure, and lacked data migration best practices. BTA issued the ETP and the Business Transition Guidance (BTG) to provide needed information on converting systems to the BEA structure.

Enterprise Transition Plan
The ETP focused on the Enterprise-level implementation and lacked detailed process steps to follow for converting data from the current structure to the BEA target structure.
The ETP gave DoD internal and external stakeholders an overview of the systems and initiatives that could improve business operations; however, the ETP cannot be used as a plan for data migration. Data migration is complicated because of the need to convert data from a wide variety of transactional, legacy, and third-party data sources into a new structure. Although the ETP described what DoD is trying to achieve and provided a high-level synopsis of DoD-wide goals, objectives, and proposed budget costs, it did not include a methodology for converting data and systems into a new structure. Because the BEA specified requirements for data elements, business rules, and standards, a transition plan should include a similarly detailed process for converting Component system functionality to the target structure.

Business Transformation Guidance
The Component-level instructions for implementing the BTG five-step process for the Defense Business Transformation lacked sufficient detail to provide the Components with a standard methodology for aligning their systems to the BEA. BTA issued the BTG in July 2007 to clarify roles and to establish common processes at the enterprise, Component, and program levels.

The five-step process includes:

   1. setting priorities (identifying desired outcomes),
   2. analyzing and approving solutions,
   3. building and refining a required architecture and transition plan,
   4. defining and funding the programs, and
   5. executing and evaluating the business transformation.

The BTG focused on the Enterprise-level transformation, and the five-step process lacked detailed instructions for the Components to follow.
For example, on the setting priorities step, the Enterprise-level instructions included a discussion of how BTA determined Enterprise-level priorities, along with a flowchart on identifying problems, mission needs, material weaknesses, unanswered questions, and desired outcomes. However, the Component and program levels did not feature those items and did not show a detailed flowchart. In addition, the BTG stated that each Component is responsible for establishing its Component-level priorities to support and complement the business enterprise priorities. Specifically, the Component instructions stated:

    Components nominate Business Enterprise Priority candidates, review them, and provide additional input to help define each Business Enterprise Priority. When Business Enterprise Priorities are identified at the DoD Enterprise level, each Component aligns the appropriate systems, standards, architectures, and plans to support achievement of Business Priority objectives.

    Components define Component priorities to address Component-specific mission needs or problems that either complement Business Enterprise Priorities or those not addressed by them [sic].

These instructions were not at the same level of detail as the Enterprise-level instructions. The BTG lacked clarity on how a Component would use the above instructions for aligning systems, standards, architectures, and plans to achieve the business priority objectives.
In addition, the BTG stated that Components should consider:

• complexity of the need, problem, or solution,
• potential benefit of improving one or more business capabilities,
• level of risk,
• “breadth of the elements” for the perceived solution, and
• speed of capability improvement.

The BTG did not elaborate on these considerations or provide examples of how to apply them. Although the BTG provided examples of a strong and a weak business priority candidate, none of the BTG examples demonstrated the entire five-step process. Including an example that starts with the first step—setting priorities—and flows through to the last step—executing and evaluating the Business Transformation—would help the Components to apply the five-step process to their mission needs and align their systems to the BEA. Therefore, BTA should revise the BTG to include complete instructions for the Components to follow and examples that show how each of the five steps relate to each other and the listed considerations.

Data Migration Best Practices
Neither the ETP nor the BTG discussed best practices for data migration. Basic data migration best practices include identifying the data and data backup, data mapping, data cleansing, transforming the data, validating converted data, and ensuring that migrated data moved as anticipated. The ETP and BTG did not include instructions for mapping user expectations and needs, identifying data sources and targets, evaluating the data quality, analyzing gaps between the current capabilities and potential capabilities, or assessing the effort required to design, code, test, and implement the data migration at the Component level or program level.
Neither the ETP nor the BTG discussed data integrity, policies, processes, procedures, controls improvements, and implementation of integrated systems. In addition, neither document addressed information assurance standards and requirements nor how the Components should implement those standards and requirements during system conversion to the BEA structure.

Without data migration best practices, detailed instructions for a standard methodology, and examples for the Components to follow, the BTA data migration strategy jeopardized the Components’ ability to deploy consistent financial management systems that can achieve BEA compliance. The Enterprise-level approach described in the ETP and BTG did not provide the guidance and support that Components needed to align their systems to the BEA. Without clear and detailed guidance for implementing data migration across DoD systems, the Components will have difficulty achieving and maintaining the high-quality data that are critical to: (1) being able to track transactions throughout the enterprise, (2) enhancing business intelligence, (3) linking resources to business outcomes, and (4) eliminating weaknesses and deficiencies. Because one of the goals of DoD is to achieve interoperable business processes, data migration should be developed and implemented in a standardized process.
Therefore, we recommend that BTA revise the BTG to include a detailed, systematic, standardized methodology that would prescribe best practices for data migration, data integrity, and the overall transition into the BEA structure across DoD.

BEIS Data Migration Schedule
The BEIS data migration schedule was unrealistic because BTA planned to transfer the functionality of 13 DFAS legacy systems to BEIS by FY 2020, but it had not coordinated with DFAS to determine when and the sequence in which the legacy systems’ functionality should be transferred to BEIS. The lack of coordination with DFAS means that it may take 11 years for BTA to transfer legacy system functionality to BEIS and may cost the DoD $231 million. With the rapid changes in technology, DoD may be at risk for not realizing its goals of financial management improvement and access to accurate and reliable information under the BEIS family of systems concept in a timely manner.

The ETP contained a master list of target systems and related legacy systems, along with potential migration dates. For BEIS, the ETP master list showed 13 of 15 legacy systems with a final migration date of September 30, 2020 (see Appendix B). However, the master list did not show a detailed schedule of when, during the 11 years from FY 2009 to FY 2020, the functionality of those legacy systems would transfer into BEIS. In addition, the ETP did not provide a critical path for the order in which legacy system functionality would migrate. Effective project management should include critical path techniques such as listing all activities required to complete the project, the time allowed to complete them, and related dependencies between the activities.

When asked about the transition of the 13 legacy systems’ functionality into BEIS, BTA officials stated that they did not know when the transfers would occur because DFAS still owned the systems.
BTA had not coordinated with DFAS to develop a detailed project plan or critical path to ensure that FY 2020 was a realistic migration completion date.

The ETP stated that for FY 2009, BTA planned to spend about $21 million on BEIS. After 11 years, assuming that the FY 2009 BEIS budget amount continued in future years, DoD could spend up to $231 million to achieve this financial management goal. According to the ETP, BEIS supports the DoD goal for financial management improvement by providing immediate access to accurate and reliable financial information, which would allow efficient and effective decision-making. Given rapidly changing technology, the lack of coordination with DFAS, and the 11-year timeline for transferring legacy system functionality, DoD is at risk for not meeting its financial management goal. By outlining dependent and related activities and reducing redundant efforts, a critical path data migration strategy may help to reduce the potential 11-year timeline and may reduce the $231 million potential cost. Therefore, we recommend that BTA coordinate with DFAS to develop a detailed data migration strategy that identifies key milestones and a critical path for transferring the functionality of the 13 legacy systems to the BEIS family of systems.

Recommendations, Management Comments, and Our Response
During the comment period, the BTA was reorganized under the Assistant Deputy Chief Management Officer, who responded for the Department.

A. We recommend that the Director, Defense Business Transformation Agency:

1. Revise the Business Transformation Guidance to include complete instructions for the Components to follow and examples that show how the five steps relate to each other and the listed considerations.
In addition, include in the revision a detailed, systematic, standardized methodology that would prescribe best practices on data migration, data integrity, and overall transition into the Business Enterprise Architecture environment across the Department of Defense.

Assistant Deputy Chief Management Officer Comments
The Assistant Deputy Chief Management Officer (Assistant Deputy) partially agreed, stating that BTA was in the process of developing a concept of operations, detailing data integrity and data migration activities, with an expected release date in 4th quarter FY 2009. However, the Assistant Deputy disagreed with revising the BTG to include data migration and data integrity activities because the intent of the BTG was not for that purpose and other documents provide that level of detail.

Our Response
The Assistant Deputy’s comments are partially responsive. The Assistant Deputy comments on BTA development of a concept of operations only addressed the data migration and data integrity portion of the recommendation. Therefore, we request a listing of the documents that provide the prescribed detail. We also request additional comments on how and to what extent the concept of operations would provide instructions for the Components to follow, examples that show how the five steps relate to each other and the listed conditions, and overall transition into the BEA across DoD.

2. Coordinate with the Defense Finance and Accounting Service to develop a detailed data migration strategy that identifies key milestones and a critical path for the migration of the 13 legacy systems into the Business Enterprise Information Services.

Assistant Deputy Chief Management Officer Comments
The Assistant Deputy partially agreed that the Department should develop a detailed data migration strategy for those systems whose data would require migration to BEIS.
The comments indicated that the details about whether all 13 systems would require data migration
are currently under development and that once determined, the data migration strategy could be
developed. The comments also indicated that BTA and DFAS are working together on this
effort and would provide regular status updates, when requested.

Our Response
The Assistant Deputy’s comments are partially responsive. The Assistant Deputy agreed with
the need for a data migration strategy and coordination with DFAS, but indicated that
determining whether all of the systems would require data migration and developing a detailed
strategy for this are under way. Therefore, we request additional comments on whether the items
under development would address key milestones or a critical path for transferring the legacy
system functionality into BEIS and the anticipated date for developing the data migration
strategy.

Finding B. Information Assurance

A potential conflict of interest existed in the BEIS information assurance certification and
accreditation process because BTA had designated the same individual to serve as both
Certifying Authority (CA) and Designated Accrediting Authority (DAA) for the BEIS family of
systems. Also, the BEIS security plan did not meet OMB and DoD requirements because it was
not comprehensive and did not include procedures for reporting and resolving security incidents,
training before granting system access, and testing for continuity of operations for the three
essential systems under BEIS. As a result, the BEIS certification and accreditation authorities
may have accepted undue risk when accrediting BEIS for operation.

Certification and Accreditation
A conflict of interest [2] may exist because BTA named the same individual as the CA and the
DAA for the BEIS family of systems.
The DAA issued an Authority to Operate (ATO) for the
BEIS family of systems on November 14, 2008. An ATO is a formal notification of an
accreditation decision by a DAA to accept the risk associated with operating a DoD information
system. An ATO signifies that a DoD system has adequately implemented all assigned
information assurance controls.

While preparing to obtain the ATO, the certification authority recommended that severity codes
for 9 of the 13 reported security weaknesses listed in the July 2008 BEIS Plan of Action and
Milestones (POA&M) be lowered. This was significant because system weaknesses are assigned
severity codes to indicate risk level and the urgency for corrective action. Category 1
weaknesses were the most severe, and the system owner must correct them before obtaining an
ATO. Category 2 weaknesses were moderately severe, and the system owner must correct them
or satisfactorily mitigate them before obtaining an ATO. Category 3 weaknesses were the least
severe and do not prevent a DAA from issuing an ATO.

Six of the nine weaknesses were lowered from Category 2 to Category 3, and a Category 1
weakness was lowered to Category 2. The lowered Category 1 weakness indicated that the
configuration control board [3] had not held regular meetings, and had not assessed subsequent
system change requests for information assurance impact prior to implementation. This is
significant because from FY 2006 to FY 2008, the program managers for the three essential
systems for BEIS had submitted 1,209 system change requests.

An individual who serves as both the CA and the DAA has the ability to recommend lowered
category codes and then approve them, creating a lack of segregation of duties and a potential
conflict of interest.
The magnitude of risk increases with each system migration, and the
potential migration of 13 legacy systems into BEIS represents a high level of risk (Finding A).
Without regular meetings of the configuration control board to assess the information assurance
impact of system change requests, the ATO’s purpose of accepting the risk for system
accreditation loses its significance. Therefore, BTA should appoint separate individuals to the
certification and accreditation functions and positions to ensure that other missions or business
functions relying on the BEA are not compromised. In addition, BTA should ensure that the
BEIS configuration control board meets regularly to review and approve all system change
requests prior to implementation.

[2] A conflict of interest and lack of independence exist when an individual has both certifying authority and
accrediting authority for the same system. Dividing duties among two or more individuals diminishes the likelihood
that errors and wrongful acts could go undetected, because the activities of one individual would serve as a check on
the activities of the other.
[3] The DoD configuration management process includes a configuration control board that meets regularly and
implements procedures to ensure a security review and approval of all proposed DoD information system changes.

Security Planning
BTA had not developed a comprehensive plan that included procedures for reporting and
resolving security incidents, training before granting system access, and testing for continuity of
operations for the three essential systems under BEIS.

BTA stated that its BEIS certification and accreditation package met the requirements for a
security plan.
The BEIS certification and accreditation package included:

   • a summary report that contained only a list of weaknesses, their corresponding control
     numbers, and severity;
   • a System Identification Profile that listed only items such as system name, version or
     release number, system description, and accreditation; and
   • a POA&M of listed security weaknesses.

In addition, BTA issued the BEIS Acquisition Information Assurance Strategy in June 2008. Its
purpose was to provide the groundwork for integrating information assurance management into
the BEIS family of systems. The strategy included a high-level discussion on the data flow from
the three essential systems under BEIS.

However, neither the documents contained in the BEIS certification and accreditation package
nor the BEIS Acquisition Information Assurance Strategy provided a comprehensive plan that
met the requirements prescribed in OMB Circular A-130, Appendix III, “Security of Federal
Automated Information Resources,” November 28, 2000, and DoD Instruction 8500.2,
“Information Assurance Implementation,” February 6, 2003.

OMB A-130 requires agencies to ensure that information is protected at a level commensurate with
the risk and magnitude of the harm that would result from the loss, misuse, or unauthorized access to
or modification of such information. OMB A-130 also states that agency security plans include
rules of the system, training, personnel controls, incident response capability, continuity of
operations, technical security, and system interconnection. DoD Instruction 8500.2 requires that
agencies implement a system security plan as part of their information assurance documentation
that describes the technical, administrative, and procedural information assurance program.
It must also identify specific requirements and objectives for data handling, dissemination, system
redundancy, and emergency response.

Without a comprehensive security plan in place, BTA has no assurance that BEIS has a level of
protection commensurate with the risk and potential magnitude of loss, misuse, or unauthorized
access. In addition, the lack of segregation of duties discussed previously in this finding,
combined with the request and implementation of 1,209 system changes, means that BTA may
have been unaware of some BEIS risks when it issued the November 2008 ATO. Therefore,
BTA should develop a comprehensive, overall security plan that meets OMB Circular A-130,
Appendix III, and DoD Instruction 8500.2 requirements and develop procedures for testing those
requirements annually.

Recommendations, Management Comments, and Our Response
The Assistant Deputy Chief Management Officer responded for the Department.

B. We recommend that the Director, Business Transformation Agency:

1. Separate the roles of Certifying Authority and Designated Accrediting Authority by
assigning them to two individuals.

Assistant Deputy Chief Management Officer Comments
The Assistant Deputy disagreed and stated that BTA is fully compliant with DoD Instruction
8510.01, “DoD Information Assurance Certification and Accreditation Process (DIACAP),”
November 28, 2007, which does not require the CA and the DAA to be separate individuals. In
addition, the comments stated the CA and DAA resided within the Office of the Chief
Information Officer and reports to a directorate that is organizationally separate from the
program-level information assurance officers. The CA and DAA have no Directorate-level
organizational affiliation with the system owners.
In addition, because of limited staff size, there
are no plans to separate the two roles at this time.

Our Response
The Assistant Deputy’s comments are partially responsive. Although the Assistant Deputy cites
the DIACAP as reason for having one individual perform the duties of both the CA and DAA
positions, the fact that the CA/DAA resides in a different office from the system owners does not
satisfy the safeguard that assigning these responsibilities to separate individuals would
accomplish.

In May 2004, the National Institute of Standards and Technology issued Special Publication 800-37,
“Guide for the Security Certification and Accreditation of Federal Information Systems.”
This guide states that independence of the certification agent is an important factor in assessing
the credibility of the security assessment results and ensuring that the authorizing official
receives the most objective information possible in order to make an informed, risk-based
accreditation decision. In addition, the guide states that caution be exercised when one
individual fills multiple roles in the security certification and accreditation process to ensure that
the individual retains an appropriate level of independence and remains free from conflicts of
interest. Because the BEIS staff member who serves as CA/DAA is able to recommend changes
to the severity codes and then approve those same changes, the potential for conflict of interest
exists. The lack of independence between the two positions does little to ensure a sound security
posture for the information systems and diminishes the acceptable level of risk typically assumed
with the issuance of the ATO. Therefore, we request that the Assistant Deputy reconsider her
position and designate two individuals—one to serve as the CA and another to serve as DAA.

2.
Ensure that the Business Enterprise Information Services configuration control board
meets regularly to review and approve all system change requests prior to implementation.

Assistant Deputy Chief Management Officer Comments
The Assistant Deputy agreed, but did not provide any other information.

Our Response
The Assistant Deputy’s comments are partially responsive. Although the Assistant Deputy
agreed, the comments did not provide any further information. Therefore, we request additional
comments on when the configuration control board would meet, how and to what extent they
would review and approve all system change requests before implementation, and expected
completion date of any procedures or policies issued.

3. Develop a comprehensive, overall security plan that meets Office of Management and
Budget Circular A-130, Appendix III, and DoD Instruction 8500.2 requirements, and
develop procedures for testing those requirements annually.

Assistant Deputy Chief Management Officer Comments
The Assistant Deputy disagreed, but recognized the need for strong plans for adhering to
applicable security guidelines. However, the comments stated that because of the diversity of
BTA’s programs, the DoD’s position was that having each program maintain its own set of
comprehensive security documents and prepare its own exhibit to comply with OMB
Circular A-130, Appendix III, was beneficial to overall security.

Our Response
The Assistant Deputy’s comments are partially responsive. The Assistant Deputy comments did
not state how and when comprehensive security exhibits would be prepared for DCD/DCW,
DDRS, and DCAS that would comply with OMB Circular A-130, Appendix III, and DoD
Instruction 8500.2 requirements.
Therefore, we request additional comments on how and when
the comprehensive security exhibits for those requirements are to be developed and tested.

Finding C. Financial Reporting Compliance

BTA did not fully comply with financial reporting requirements of the Federal Financial
Management Improvement Act of 1996 (FFMIA) and the Federal Managers Financial Integrity
Act of 1982 (FMFIA) because BTA had not developed a methodology for performing a complete
FFMIA assessment of the BEIS family of systems since obtaining system ownership in 2005. As
a result, BTA had no assurance that the 1,209 system change requests submitted for the BEIS
family of systems do not conflict with FFMIA requirements and make its FMFIA annual
Statement of Assurance inaccurate.

Compliance With FFMIA
BTA had not tested BEIS, as a family of systems, for FFMIA compliance, although BTA
obtained ownership of BEIS in 2005. The FFMIA requires agencies to have financial
management systems that substantially comply with the Federal financial management system
requirements. The three essential systems under BEIS did not have recent tests for FFMIA
compliance. For example, as the previous system owner, DFAS tested DCD/DCW in 2004 and
DCAS in 2006. DFAS also tested two of the three DDRS modules: the Audited Financial
Statement module (in March 2001) and the Budgetary Reporting module (in August 2002). The
third module, Data Collection, was not tested.

BTA had not developed a methodology for performing a complete FFMIA compliance
assessment of the BEIS family of systems. BTA stated that it planned to conduct a BEIS
assessment after obtaining Milestone C approval.
[4] In addition, because BTA did not have
configuration control board meetings, it had no assurance that the 1,209 system change requests
(Finding B) did not adversely affect BEIS compliance with FFMIA technical and administrative
requirements.

OMB A-127, “Financial Management Systems,” states that each agency must have an ongoing
financial systems improvement planning process and perform periodic reviews of its financial
systems capabilities. The “Office of Federal Financial Management: Core Financial System
Requirements,” January 2006, provides Federal mandatory functional and technical financial
management system requirements that must be met to be compliant with Federal standards
mandated by the FFMIA. Because BTA had not recently tested BEIS as a family of systems,
and had not developed a methodology for conducting the tests, it had no assurance that BEIS met
the FFMIA financial system requirements. Therefore, BTA should develop a methodology for
implementing an annual assessment of the BEIS family of systems in accordance with FFMIA
requirements.

Statement of Assurance Accuracy
BTA did not fully report internal control results as required under FMFIA. The BEIS Statement
of Assurance issued on August 29, 2008, listed no material weaknesses. Section 4 of the FMFIA
requires an annual statement by the agency head indicating whether the financial management
systems conform to Federal financial management system requirements. FMFIA also requires
that if the agency’s systems do not substantially conform to financial systems requirements, the
statement of assurance must report those instances and discuss the agency’s plans for bringing its
systems into substantial compliance.
Because of the BEIS system change requests and lack of
recent FFMIA compliance testing, the 2008 Statement of Assurance showing no material
weaknesses may be inaccurate. Therefore, BTA should assess whether the BEIS family of
systems complies with FFMIA mandatory and technical Core Financial Management System
requirements and FMFIA standards. In addition, BTA should develop a remediation plan for
correcting any deficiencies noted.

[4] Achieving Milestone C means that the Milestone Decision Authority authorizes limited deployment in support of
operational testing for the major acquisition information system. BEIS obtained Milestone C approval on April 29,
2009.

Recommendations, Management Comments, and Our Response
C. We recommend that the Director, Business Transformation Agency:

1. Develop a methodology for implementing an [annual] assessment of the Business
Enterprise Information Services family of systems, in compliance with the Federal
Financial Management Improvement Act of 1996 Core Financial Management System
requirements.

Assistant Deputy Chief Management Officer Comments
The Assistant Deputy disagreed and stated that FFMIA does not require an annual assessment.
The comments stated that BEIS is achieving FFMIA compliance in increments. DDRS and
DCD/DCW achieved compliance in 2001 and 2004 respectively (Increment 1). On March 31,
2009, the Acting Defense Business Systems Acquisition Executive agreed to move DCAS to
Increment II where testing for interoperability and FFMIA would occur. DCAS plans to achieve
compliance before obtaining a Full Deployment Decision Review no later than first quarter 2011.

Our Response
We consider the comments partially responsive.
FFMIA does not specifically require an annual
assessment, but the Core Financial System Requirements implements the provisions of FFMIA
and OMB A-127, “Financial Management Systems,” July 23, 1993, and states that each agency
must have an ongoing financial systems improvement planning process and perform periodic
reviews of its financial system capabilities. Although BEIS (Increment 1) received Milestone C
approval in April 2009, the Milestone C Acquisition Decision Memorandum did not address
FFMIA as a necessary requirement. With the submission of 1,209 system change requests from
FY 2006 through FY 2008 for the three essential systems, DDRS and DCD/DCW compliance
with FFMIA may be in jeopardy.

In addition, DCAS reports expenditure data to the Treasury and includes the processing of
transactions by others and for others and the performance of other Treasury and departmental
functions. Waiting until 2011 to test interoperability and FFMIA compliance means that a
portion of the BEIS family of systems would not achieve compliance for approximately 2 years.
It is essential that DCAS be compliant with FFMIA because Fund Balance with Treasury
Management is a Core Financial System Requirement. Therefore, we request that the Assistant
Deputy reconsider DoD’s position, and provide additional comments on currently assessing
DCD/DCW and DDRS for potential noncompliance and on the DCAS testing timeframe.

2.
Assess whether the Business Enterprise Information Services family of systems complies
with Federal Financial Management Improvement Act of 1996 mandatory functional and
technical Core Financial Management System requirements and the Federal Managers
Financial Integrity Act of 1982 standards, and develop a remediation plan for correcting
any deficiencies noted.

Assistant Deputy Chief Management Officer Comments
The Assistant Deputy partially agreed with the recommendation. The Assistant Deputy agreed
with assessing BEIS against FFMIA requirements. However, the comments reiterated the
response to recommendation C.1. on the compliance of DCD/DCW and DDRS and the future
compliance of DCAS. The comments also stated that a Management Control Matrix is
submitted annually for the BEIS family of systems. In addition, the comments stated that
development of a remediation plan was not required because there were no material weaknesses
identified through FFMIA and FMFIA assessments.

Our Response
The Assistant Deputy’s comments are partially responsive. The Assistant Deputy agreed with
assessing BEIS against FFMIA requirements, but the comments appear to be in conflict. BEIS
includes three essential systems, DCD/DCW, DDRS, and DCAS. However, the comments state
that DCD/DCW and DDRS are FFMIA compliant and that DCAS is scheduled for testing in
2011.

FFMIA states that agencies are to implement and maintain financial management systems that
comply substantially with financial management systems requirements. FMFIA requires that if
the agency’s systems do not substantially conform to financial systems requirements, the
statement of assurance must report those instances, and discuss the agency’s plans for bringing
its systems into substantial compliance.
One of the systems within the BEIS family of systems is
not compliant, thus there should be a FFMIA assessment.

In addition, because of the 1,209 BEIS system change requests and no recent testing against the
financial management system requirements, it is unclear whether there really were no material
weaknesses for BEIS family of systems, and whether the 2008 Statement of Assurance was
accurate. Therefore, we request additional comments on when the complete assessment for
BEIS against FFMIA requirements is to occur and whether there is a need for developing a
remediation plan.

Appendix A. Scope and Methodology
We conducted this performance audit from February 2008 to March 2009 in accordance with
generally accepted government auditing standards. Those standards require that we plan and
perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe that the evidence obtained
provides a reasonable basis for our findings and conclusions based on our audit objectives.

Our initial audit scope included the review of BEIS as an individual system. After discussions
with the Business Transformation Agency BEIS Program Executive Officer, we learned that
BEIS is a family of three separate, essential systems. Therefore, we did not evaluate BEIS
enterprise level capabilities for financial reporting and we revised our scope to a review of BEIS
documentation for the two remaining objectives and a review of the BTA management and
oversight for the BEIS implementation and deployment. We briefed BTA management on the
change of scope on April 18, 2008.

We assessed the effectiveness of information assurance documentation on the three essential
systems of the Business Enterprise Information System.
We inspected System Security
Authorization Agreements, System Information Plans, and other relevant control documentation
located at the three program management offices and the Business Transformation Agency. We
interviewed the BEIS Program Executive Officer; the program managers for Defense
Departmental Reporting System and the Defense Cash Accountability System; and the
Enterprise Integration Office Director at the Business Transformation Agency, Arlington,
Virginia. We also interviewed the DFAS Corporate Database/DFAS Corporate Warehouse
program manager and the BEIS Information Assurance Officer, located in Indianapolis, Indiana.

We used the following criteria to perform this audit:

   • DoD Instruction 5105.80, “Defense Business Transformation Agency (BTA),”
     November 12, 2008,
   • DoD Instruction 8500.01E, “Information Assurance (IA),” April 23, 2007,
   • DoD Instruction 5010.40, “Managers’ Internal Control (MIC) Program Procedures,”
     January 4, 2006,
   • DoD Instruction 5000.2, “Operation of the Defense Acquisition System,”
     May 12, 2003, and
   • DoD Instruction 8500.2, “IA Implementation,” February 6, 2003.

We also used the following applicable laws and regulations: the Federal Financial Management
Improvement Act of 1996; the Federal Managers Financial Integrity Act of 1982;
OMB Circular A-123, “Revisions to OMB Circular A-123, Management’s Responsibility for
Internal Control,” December 21, 2004; OMB Circular A-127, “Financial Management Systems,”
July 23, 1993; OMB Circular A-130, “Management of Federal Information Resources,
Transmittal 4,” November 30, 2000, and National Institute of Standards and Technology Special
Publication 800-37, “Guide for the Security Certification and Accreditation of Federal
Information Systems,” May 2004.

Use of Computer-Processed Data
We did not use computer-processed data to perform this audit.

Prior Coverage
During the last 5 years, the Government Accountability Office (GAO) and the Department of
Defense Inspector General (DoD IG) have issued nine reports discussing the business
transformation and the BEIS. Unrestricted GAO reports can be accessed over the Internet at
www.gao.gov. Unrestricted DoD IG reports can be accessed at www.dodig.mil/auditreports.

GAO
GAO Report No. GAO-09-586, “DOD Business Systems Modernization: Recent Slowdown in
Institutionalizing Key Management Controls Needs to Be Addressed,” May 18, 2009

GAO Report No. GAO-08-462T, “Defense Business Transformation: Sustaining Progress
Requires Continuity of Leadership and an Integrated Approach,” February 7, 2008

GAO Report No. GAO-07-733, “DoD Business Systems Modernization: Progress Continues to
Be Made in Establishing Corporate Management Controls, but Further Steps Are Needed,”
May 14, 2007

GAO Report No. GAO-07-229T, “Defense Business Transformation: A Comprehensive Plan,
Integrated Efforts, and Sustained Leadership Are Needed to Assure Success,” November 16,
2006

GAO Report No. GAO-06-219, “DoD Business Systems Modernization: Important Progress
Made in Establishing Foundational Architecture Products and Investment Management Practices,
but Much Work Remains,” November 23, 2005

GAO Report No. GAO-05-702, “DoD Business System Modernization: Long-standing
Weaknesses in Enterprise Architecture Development Need to Be Addressed,” July 22, 2005

DoD IG
DoD IG Report No.
D-2007-087, “Internal Controls Over Army General Fund Transactions
Processed by the Business Enterprise Information Services,” April 25, 2007

DoD IG Report No. D2006-068, “Financial Management: Implementation of the Business
Enterprise Information Services for the Army General Fund,” March 31, 2006

DoD IG Report No. D2006-008, “Defense Departmental Reporting System and Related
Financial Statement Compilation Process Controls Placed in Operation and Tests of Operating
Effectiveness for the Period October 1, 2004, through March 31, 2005,” October 24, 2005

Appendix B. Future BEIS System Transitions

System Name                                                     End Migration Date  System Turn-Off Date
Collection and Expenditures Processing Reconciliation (CEPR)    To Be Determined    To Be Determined
Cash History On-Line Operator Search Engine (CHOOSE)            9/30/2020           To Be Determined
Cash Reconciliation System (CRS)                                9/30/2020           To Be Determined
Departmental Financial Reporting and Reconciliation (DFRR)      9/30/2020           To Be Determined
Deposit In Transit (DIT)                                        9/30/2020           To Be Determined
Disbursing Returns Overseas and Afloat Activities (DRO)         9/30/2020           To Be Determined
Financial Operations Support (FOS)                              9/30/2020           To Be Determined
Financial Reporting System - Accounting (FRS-Acctg)             10/30/2007          12/30/2008
Headquarters Accounting and Reporting System (HQARS)            9/30/2020           To Be Determined
International Balance of Payments (IBOP)                        9/30/2020           To Be Determined
Navy Prompt Payment Interest (NPPI)                             9/30/2020           To Be Determined
Check Recertification (RECERT)                                  9/30/2020           To Be Determined
Standard Accounting, Budgeting and Reporting System (SABRS)     9/30/2020           To Be Determined
Suspense/Aging Monitoring System (SAMS)                         9/30/2020           To Be Determined
Transactions By Others (TBO)                                    9/30/2020           To Be Determined

Note: Although the Enterprise Transition Plan September 2008, Appendix A, shows 15 systems migrating to BEIS,
only 13 of these 15 systems were to migrate by 2020.
Source: BTA, Enterprise Transition Plan, September 2008, Appendix A

Appendix C. Glossary of Technical Terms
Business Transformation Guidance. The Business Transformation Guidance provides a five-step
process for transforming DoD business operations. The steps include:

   1.   setting priorities (identify desired outcomes),
   2.   analyzing and approving a solution (analyze the problem),
   3.   building and refining a required architecture and transition plan,
   4.   defining and funding the programs, and
   5.   executing and evaluating the business transformation

Component-level Business Transformation. Components develop strategies, schedules, and
budgets for their Component Transformation, then implement these plans. Components are
responsible not only for executing their individually assigned missions, but also for ensuring that
joint operations run smoothly and that information flows freely across the enterprise so the DoD
can function as a cohesive whole.

Configuration Management.
The DoD configuration management process includes
requirements for formally documenting configuration management responsibilities; a
configuration control board that implements procedures to ensure a security review and approval
of all proposed DoD information system changes; a testing process to verify proposed
configuration changes prior to implementation; and a verification process to provide additional
assurance that the configuration process is working effectively and that changes outside the
process are technically or procedurally not permitted.

Data migration. The process of translating data from one format to another, which may involve
the restructuring of data by merging fields or changing formats. Data migration transforms data
from a variety of transactional, legacy, current, and historical data sources into a new
representation of the data. This requires the data to be:

    • profiled and extracted from current systems,
    • cleansed of incorrect, redundant or outdated records,
    • transformed into the new data representations,
    • tested to ensure that the data migrated correctly, and
    • loaded into the new application environment.

Defense Acquisition System. According to DoD Instruction 5000.2, “Operation of the Defense
Acquisition System,” May 12, 2003, Milestone C authorizes entry into deployment in support of
operational testing for major acquisition information systems. The Milestone Decision Authority
commits DoD to production at Milestone C.

Designated Accrediting Authority. The official with the authority to assume formal
responsibility for operating a system at an acceptable level of risk. This term is synonymous
with Designated Approving Authority and Delegated Accrediting Authority.

DoD Information System.
Set of information resources organized for the collection, storage,\nprocessing, maintenance, use, sharing, dissemination, disposition, display, or transmission of\ninformation. Includes automated information system applications, enclaves, outsourced\ninformation technology-based processes, and platform interconnections.\n\nEnterprise. Refers to the Department of Defense, including all of its organizational entities.\n\n\n                                                 19\n\n\x0cEnterprise Architecture. A management practice for aligning resources to improve business\nperformance and help agencies execute their core missions. An enterprise architecture describes\nthe current and future state of the agency, and lays out a plan for transitioning from the current\nstate to the desired future state.\n\nEnterprise-level Transformation. This includes data standards, business rules, specific\nsystems, and an associated integration layer of interfaces for the Components. These standards\nare established through cooperation and represent the \xe2\x80\x9crules of engagement\xe2\x80\x9d to which all DoD\nComponents must adhere. Thus, while the Department is not dictating how to transform, it is\nensuring that each Component\xe2\x80\x99s transformational program increases the Department\xe2\x80\x99s ability to\nreap the benefits of improved information exchange across organizational boundaries. This type\nof integration will drive the Department down the path to interoperability and accelerate the\nServices\xe2\x80\x99 transformation efforts.\n\nInformation Assurance. Measures that protect and defend information and information systems\nby ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation. This\nincludes providing for restoration of information systems by incorporating protection, detection,\nand reaction capabilities.\n\nInformation Assurance Certification and Accreditation. 
The standard DoD approach for\nidentifying information security requirements, providing security solutions, and managing the\nsecurity of DoD information systems.\n\nInformation Assurance Control. An objective information assurance condition of integrity,\navailability, or confidentiality achieved through the application of specific safeguards or through\nthe regulation of specific activities expressed in a specified format (such as a control number, a\ncontrol name, control text, and a control class). Specific management, personnel, operational,\nand technical controls are applied to each DoD information system to achieve an appropriate\nlevel of integrity, availability, and confidentiality.\n\nMilestone C. Achieving Milestone C means that the Milestone Decision Authority authorizes\nentry into limited deployment in support of operational testing for the major acquisition\ninformation system.\n\nTiered Accountability. DoD implemented tiered accountability for accomplishing the overall\nbusiness transformation. It requires each tier in the DoD organizational hierarchy to focus on\nonly those requirements that are relevant for that specific tier. The three accountability tiers are:\n\n      Enterprise Level. At the Enterprise tier, the Defense Business Systems Management\nCouncil, the Principal Staff Assistants, and the Business Transformation Agency work with the\nComponents to create architectures, develop plans, make decisions, and manage the execution of\nDoD-wide business capability improvements.\n\n        Component Level. The Components are responsible for developing and maintaining\ntheir architecture transition plans, cost and schedule data, and performance data that should detail\ntheir priorities and integration with the Business Enterprise Architecture and the Enterprise\nTransition Plan. 
The Components are charged as pre-certification authorities for performing the\nnecessary due diligence that would ensure compliance is achieved and certifies achievement\nduring the annual investment review process and at appropriate milestone decision points.\n\n        Program Level. Program managers and program executive officers ensure program\ninformation is current, complete, and accurate. They are responsible for developing the program\ntransition plan that integrates with transition plans at the enterprise and Component levels.\n\n\n                                                 20\n\n\x0cManagement Comments\n\n\n  Assistant Deputy Chief Management Officer Comments\n\n\n\n\n                        OFFICE OF DEPUTY CHIEF MANAGEMENT OFFICER\n                                           1010 DEFENSE PENTAGON\n                                          WASHINGTON, DC 20301-1010\n\n\n\n\n                                                                                IlAT -1 2009\n        Ms. Holly Williams\n        Program Director\n        Automated Financial Systems Division\n        Defense Business Operations\n        Department of Defense Office of Inspector General\n        400 Army Navy Drive\n        Arlington, VA 22202-4704\n\n        Dear Ms. Williams:\n\n               This is the Department of Defense (DoD) response to the DoD Inspector General\n        (IG) draft report on the "Data Migration Strategy and Information Assurance for the\n        Business Enterprise Information Services (BEIS)," dated March 23, 2009 (Project No.\n        D2008-D000FB-0120.000).\n\n               Of the seven recommendations issued, the Department concurs with one (B.2),\n        partially concurs with three (A.1, A.2, and C.2) and non-concurs with three (B.1, B.3, and\n        C.1). On recommendations with 
partial concurrence, either the Department agrees in\n        principle with the intent of the recommendation, but has chosen an alternative path for\n        implementing the solution or part of the recommendation may not be applicable.\n        On recommendations with non-concurrence, existing federal or DoD policies do not\n        require the recommended action.\n\n                The Department appreciates the DoD IG\'s assessment of the BEIS family of\n        systems, and we will continue to evaluate the program\'s data migration and information\n        assurance to identify areas for continued improvement. As the Department continues to\n        move forward, we welcome the DoD IG\'s insight and participation in our on-going\n        defense business transformation efforts.\n\n\n\n\n                                                   Assistant Deputy Chief Management Officer\n\n\n\n\n                                                               21\n\n\x0cDepartment of Defense Response\nDoD Inspector General Draft Report (Project No. D2008-D000FB-0120.000)\nData Migration Strategy and Information Assurance for the BEIS\n\n\nRECOMMENDATION A.1: We recommend that the Director, Business\nTransformation Agency (BTA) revise the Business Transformation Guidance\n(BTG) to include complete instruction for the Components to follow and examples\nthat show how the five steps relate to each other and the listed considerations. In\naddition, include in the revision a detailed, systematic, 
standardized methodology\nthat would prescribe best practices on data migration, data integrity, and overall\ntransition into the Business Enterprise Architecture (BEA) environment across the\nDepartment of Defense (DoD).\n\nDOD RESPONSE: Partially Concur.\n\nThe Department recognizes the need for further guidance concerning data integrity\nand data migration. The BTA is in the process of developing a Concept of\nOperations that details these activities, with an expected release date of 4th quarter\nFY09.\n\nHowever, the Department does not concur with including such additions in the\nBTG because the document is not intended to provide the level of detail that the\nDoD IG is prescribing. Per page 6 of the BTG, "The intent of this guidance is to:\n1) Frame the overall Defense Business Transformation Approach; 2) Clarify roles\nof participants; 3) Establish common processes to govern, manage, plan, and\nexecute business transformation at all levels; and 4) Describe required\narchitecture and planning information. BTG does not provide detailed,\nstep-by-step procedures for developing architecture products, transition plan products, or\nprogram acquisition documentation. Each of these products has its own governing\ndocuments that provide this detail."\n\nRECOMMENDATION A.2: We recommend that the Director, Business\nTransformation Agency coordinate with the Defense Finance and Accounting\nService (DFAS) to develop a detailed data migration strategy that identifies key\nmilestones and a critical path for the migration of the 13 legacy systems into the\nBusiness Enterprise Information Services (BEIS).\n\nDOD RESPONSE: Partially Concur.\n\nFor those systems whose data will require migration to BEIS, 
the Department\nconcurs with the recommendation to develop a detailed data migration strategy.\nHowever, details regarding whether all 13 systems will require data migration are\ncurrently under development. Once determined, the data migration strategy for the\nsystems that will require migration can be developed. DFAS and BTA are\n\n\n                                                                          Page 1 of 4\n\n\n\n\n                                               22\n\n\x0ccommitted to working together on this effort and upon request will provide regular\nstatus updates.\n\nRECOMMENDATION B.1: We recommend that the Director, Business\nTransformation Agency separate the roles of Certifying Authority (CA) and\nDesignated Accrediting Authority (DAA) by assigning them to two individuals.\n\nDOD RESPONSE: Non-Concur.\n\nThe BTA is fully compliant with the DoD Information Assurance Certification and\nAccreditation Process (DIACAP) regulations as stipulated in DoD Instruction\n8510.01, which does not require the CA and DAA to be separate individuals.\n\nThe BTA recognizes the need to protect the security of the Agency\'s systems by\nseparating information assurance roles and responsibilities and maintaining\nappropriate checks and balances. The CA/DAA, who resides within the Office of\nthe Chief Information Officer (OCIO), reports to a Directorate that is\norganizationally separate from the Directorates that the program level information\nassurance officers are assigned under. Therefore, the CA/DAA has no\nDirectorate-level organizational affiliation with the system owners. 
Additionally, due to\nlimited staff size within the OCIO, there are no plans to separate the CA and DAA\nroles at this time.\n\nRECOMMENDATION B.2: We recommend that the Director, Business\nTransformation Agency ensure that the BEIS configuration control board meets\nregularly to review and approve all system change requests prior to\nimplementation.\n\n\nDOD RESPONSE: Concur.\n\nRECOMMENDATION B.3: We recommend that the Director, Business\nTransformation Agency develop a comprehensive, overall security plan that meets\nOffice of Management (OMB) Circular A-130, Appendix III, and DoD Instruction\n8500.2 requirements, and develop procedures for testing those requirements\nannually.\n\nDOD RESPONSE: Non-Concur.\n\nThe BTA recognizes the need for strong plans to ensure adherence with applicable\nsecurity guidelines. However, due to the diverse nature of the BTA\'s programs, it\nis the Department\'s position that it is more beneficial to overall security to have the\n\n\n                                                                            Page 2 of 4\n\n\n\n\n                                              23\n\n\x0cprograms maintain their own set of comprehensive security documents. Each\nprogram will prepare its own exhibit to comply with OMB Circular A-130,\nAppendix III.\n\nRECOMMENDATION C.1: We recommend that the Director, Business\nTransformation Agency develop a methodology for implementing an annual\nassessment of the BEIS family of systems, in compliance with the Federal\nFinancial Management Improvement Act (FFMIA) of 1996 Core Financial\nManagement System requirements.\n\nDOD RESPONSE: Non-Concur.\n\nThe FFMIA of 1996 does not require an annual assessment.\n\nBEIS FFMIA compliancy is being achieved in increments. Increment I, which\nincludes the Defense Departmental Reporting System (DDRS) and Defense\nCorporate Database/Defense Corporate Warehouse (DCD/DCW), achieved\ncompliance in 2001 and 2004, respectively. Increment II, which includes the\nDefense Cash Accountability System (DCAS), will achieve compliance prior to\nobtaining a Full Deployment Decision Review, estimated no later than 1st quarter\nFY11. The Acting DBSAE has approved this plan per the attached memorandum\n(Attachment A).\n\nRECOMMENDATION C.2: We recommend that the Director, Business\nTransformation Agency assess whether the BEIS family of systems complies with\nFFMIA of 1996 mandatory functional and technical Core Financial Management\nSystem requirements and the Federal Managers Financial Integrity Act (FMFIA)\nof 1982 Standards, and develop a remediation plan for correcting any deficiencies\nnoted.\n\nDOD RESPONSE: Partially Concur.\n\nThe Department concurs with the requirement to assess BEIS against FFMIA\nrequirements. As stated in the Department\'s response 
for Recommendation C.1,\nIncrement I (DDRS, DCD/DCW) compliance was achieved in 2001 and 2004,\nrespectively, to ensure that it substantially conformed to financial systems\nrequirements. Increment II (DCAS) compliance will be achieved prior to\nobtaining a Full Deployment Decision Review for this increment. Additionally, a\nManagement Control Matrix has been submitted for the BEIS Family of Systems\non an annual basis since 2006.\n\n\n\n                                                                          Page 3 of 4\n\n\n\n\n                                              24\n\n\x0cHowever, because there have been no material weaknesses identified through the\nFFMIA and FMFIA assessments, development of a remediation plan is not\ncurrently required.\n\n\n\n\n                                                25\n\n\x0c                          BUSINESS TRANSFORMATION AGENCY\n                                       , ..,aouno .......ntUT\n                                         _     TOIl. VA 22a2\n\n\n\n\nMEMORANDUM\n\nTHRU PROGRAM EXECUTIVE OFFICER ENTERPRISE FINANCE\n\nFOR BUSINESS ENTERPRISE INFORMATION SERVICES PROGRAM MANAGER\n\nSUBJECT: Approval of Business Enterprise Information Services (BEIS) Family of Systems (FoS)\nFederal Financial Management Improvement Act (FFMIA) Certification Plan for Increment 1\n\nI approve the Business Enterprise Information Services (BEIS) Family of Systems (FoS) Increment 1\nplan for Federal Financial Management Improvement Act (FFMIA) Certification based on\ndocumentation presented.\n\nI agree that both elements of BEIS FoS Increment 1, Defense Departmental Reporting System\n(DDRS) and DFAS Corporate Database/DFAS Corporate Warehouse (DCD/DCW), 
met the\ncertification requirements stated in the FFMIA of 1996 (Public Law 104-208) and have determined\nthe existing approved FFMIA certification packages for both DCD/DCW and DDRS satisfy the\nFFMIA certification for BEIS FoS Increment 1.\n\nI also agree with the BEIS PM recommendation to move the Defense Cash Accountability System\n(DCAS) portion of the BEIS FoS in its entirety to Increment II where it will undergo the required\nInteroperability (IOP) and FFMIA/FFMR validations.\n\n                                    Mr. TracyTyNn\n\n\n\n\n                                             Kei E. So.1II1Ila1\n                                             Acting Director, Defense Business Systems\n                                              Acquisition Executive\n                                             Business Transformation Agency\n\n\n\n\n                                              26\n\t\n\x0c\x0c\x0c'